Forum Discussion
philly888
Microsoft
May 13, 2022
MS Sentinel Connector Cost Planning
Hi
Are there suggestions on how to plan for new connectors after a trial period has ended on Sentinel? There are many connectors available, both MS and 3rd party ones. If for instance I wanted to get an idea of the number of events or the size of data so I can input into the calculator?
I.e. for MS Defender for Office, there is a KQL query that will show me my current usage by table and event in security.microsoft.com, which is a good indication.
https://azurecloudai.blog/2022/05/11/estimating-the-size-of-the-m365-advanced-tables-for-microsoft-sentinel-enablement/
But for third party connectors I was thinking of creating a temporary LA workspace and funnel the logs in here for a short period to see what events and size we are dealing with, so we don't have to pay ingestion charges on Sentinel to assess what the costs would be?
- Clive_Watson
Bronze Contributor
When you have the data (in the temp workspace), you can use the "Sentinel Cost" or "Workspace Usage" Workbooks to understand the costs / GB per day. Both have KQL you can use.
Also see
https://azurecloudai.blog/2020/07/15/visualizing-azure-sentinel-billable-data-by-solution-and-data-type/
and
https://azurecloudai.blog/2021/07/14/how-to-estimate-eps-and-gb-per-day-for-azure-sentinel-costs/
- philly888
Microsoft
Thanks Clive, I'll give that a go
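
An added example, not part of any post in this thread and not taken from the workbooks or blog posts linked above: a KQL query to run in the temporary Log Analytics workspace that turns the built-in `Usage` table into per-table GB/day figures for the pricing calculator. The lookback window, the 30-day month and the `pricePerGB` placeholder are assumptions to adjust.

```kql
// Added example: billable ingestion per table, for sizing a connector before enabling it in Sentinel.
// Usage.Quantity is reported in MB; dividing by 1000 gives an approximate GB figure.
let lookbackDays = 7;      // assumption: number of whole days the connector has been sending data
let pricePerGB = 0.0;      // placeholder: set to the per-GB rate for your region and pricing tier
Usage
// Use whole days only, so a partial first or last day does not drag the average down.
| where TimeGenerated >= startofday(ago(lookbackDays * 1d))
    and TimeGenerated < startofday(now())
| where IsBillable == true
// Step 1: total MB per table per day.
| summarize DailyMB = sum(Quantity) by DataType, Solution, Day = bin(TimeGenerated, 1d)
// Step 2: average and peak day per table. The peak matters for bursty sources.
| summarize AvgGBPerDay  = round(avg(DailyMB) / 1000.0, 3),
            PeakGBPerDay = round(max(DailyMB) / 1000.0, 3),
            DaysObserved = dcount(Day)
          by DataType, Solution
// Step 3: project to a 30-day month (assumption) and apply the placeholder rate.
| extend EstMonthlyGB   = round(AvgGBPerDay * 30, 2)
| extend EstMonthlyCost = round(EstMonthlyGB * pricePerGB, 2)
| order by AvgGBPerDay desc
```

A `DaysObserved` value lower than the lookback means the table only received data on some days, so the average for that table covers fewer days than the rest.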